selinux-policy/backport-Allow-xenstored-change-its-hard-resource-limits.patch

From ad912918e04aefd676e3a2772d7252a978652695 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 26 Sep 2022 15:00:49 +0200
Subject: [PATCH] Allow xenstored change its hard resource limits

Addresses the following AVC denial:

type=PROCTITLE msg=audit(09/23/2022 14:49:28.646:155) : proctitle=prlimit --nofile=1073741816 /usr/sbin/xenstored --pid-file /var/run/xen/xenstored.pid
type=SYSCALL msg=audit(09/23/2022 14:49:28.646:155) : arch=x86_64 syscall=prlimit64 success=no exit=EACCES(Permission denied) a0=0x0 a1=0x7 a2=0x55fa676e15b0 a3=0x0 items=0 ppid=532 pid=536 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=prlimit exe=/usr/bin/prlimit subj=system_u:system_r:xenstored_t:s0 key=(null)
type=AVC msg=audit(09/23/2022 14:49:28.646:155) : avc:  denied  { setrlimit } for  pid=536 comm=prlimit scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:system_r:xenstored_t:s0 tclass=process permissive=0

Resolves: rhbz#2125693
Signed-off-by: lujie42 <lujie54@huawei.com>
---
 policy/modules/contrib/xen.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te
index bbda6032b..6e1e83b4d 100644
--- a/policy/modules/contrib/xen.te
+++ b/policy/modules/contrib/xen.te
@@ -423,6 +423,7 @@ optional_policy(`
 #
 
 allow xenstored_t self:capability { dac_read_search  ipc_lock sys_resource };
+allow xenstored_t self:process setrlimit;
 allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
 allow xenstored_t self:unix_dgram_socket create_socket_perms;
 
-- 
2.27.0
update upstream patches 2022-11-27 22:53:05 +08:00			`From ad912918e04aefd676e3a2772d7252a978652695 Mon Sep 17 00:00:00 2001`
			`From: Zdenek Pytela <zpytela@redhat.com>`
			`Date: Mon, 26 Sep 2022 15:00:49 +0200`
			`Subject: [PATCH] Allow xenstored change its hard resource limits`

			`Addresses the following AVC denial:`

			`type=PROCTITLE msg=audit(09/23/2022 14:49:28.646:155) : proctitle=prlimit --nofile=1073741816 /usr/sbin/xenstored --pid-file /var/run/xen/xenstored.pid`
			`type=SYSCALL msg=audit(09/23/2022 14:49:28.646:155) : arch=x86_64 syscall=prlimit64 success=no exit=EACCES(Permission denied) a0=0x0 a1=0x7 a2=0x55fa676e15b0 a3=0x0 items=0 ppid=532 pid=536 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=prlimit exe=/usr/bin/prlimit subj=system_u:system_r:xenstored_t:s0 key=(null)`
			`type=AVC msg=audit(09/23/2022 14:49:28.646:155) : avc: denied { setrlimit } for pid=536 comm=prlimit scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:system_r:xenstored_t:s0 tclass=process permissive=0`

			`Resolves: rhbz#2125693`
			`Signed-off-by: lujie42 <lujie54@huawei.com>`
			`---`
			`policy/modules/contrib/xen.te \| 1 +`
			`1 file changed, 1 insertion(+)`

			`diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te`
			`index bbda6032b..6e1e83b4d 100644`
			`--- a/policy/modules/contrib/xen.te`
			`+++ b/policy/modules/contrib/xen.te`
			@@ -423,6 +423,7 @@ optional_policy(`
			`#`

			`allow xenstored_t self:capability { dac_read_search ipc_lock sys_resource };`
			`+allow xenstored_t self:process setrlimit;`
			`allow xenstored_t self:unix_stream_socket create_stream_socket_perms;`
			`allow xenstored_t self:unix_dgram_socket create_socket_perms;`

			`--`
			`2.27.0`